published on January 14, 2019
The NIS Directive: What It Means and How You Can Prepare for It
by Tom Nuth
The NIS Directive is the first piece of European-wide legislation on cybersecurity. However, before you judge this comprehensive legal guideline as something that is only relevant to companies and organizations in Europe – think again.
What is the NIS Directive, Anyway?
The NIS Directive is the first EU-wide piece of legislation on cybersecurity, including the UK. It rolled out beginning in May of this year and focuses primarily on regulating operators of essential services, such as transport, energy, banking, and healthcare, and providers of digital services. In other words, it affects ICS network operators.
Following the implementation of the Directive in May, EU member states and the UK will have the remainder of 2018 to identify which organizations they deem to be “operators of essential services” and “providers of digital services”. For many of these selected organizations, the NIS Directive has two main requirements:
- First, organizations must take appropriate technical and organizational measures to manage threats to networks and information systems – including connected industrial assets.
- Second, organizations are required to notify “without undue delay” the authorities about any significant security incident.
Is the NIS Directive Important for ICS Asset Owners?
The short answer is YES.
While the NIS Directive has surfaced to the forefront of security discussions along with GDPR, they are very different. The NIS Directive is primarily meant for organizations involved in the provision, procurement and management of critical infrastructure services and their respective control systems, while the GDPR addresses all organizations that process personal data.
Regardless of your vertical, role or existing security strategy, the NIS Directive is critically important for maintaining your organization’s ability to do business in, and with, the EU and the UK. For most manufacturing, energy, and transportation organizations with global business interests, complying with the NIS Directive will become a necessary reality, since roughly 25% percent of the world’s GDP comes from the EU and UK according to Eurostat.
What If I Can’t Comply?
Compliance isn’t much of a choice. While penalties for the failure to adhere to the Directive within the EU vary according to state, they are generally quite severe. In the UK, the government plans to enact fines for non-compliance of up to £17 million or 4% of a company’s global turnover, and in the Netherlands, fines could reach as much as €5 million. According to cybersecurity documents published by the European Parliament between 2016 and 2017, strict penalties will be enforced beginning in 2019 for other EU member states, as well.
To avoid any potential penalties, global companies should carefully review the Directive and update internal standards, as well as invest in new technology, to make sure they can prove NIS compliance.
I’m an ICS Asset Owner – What Do I Need to Do Now?
Since the NIS Directive is a directive, and not a regulation, it is up to each member state to decide how it will be implemented in legislation. Because of the potential for variation, compliance may seem ambiguous for ICS asset owners doing business in the EU.
Despite this potential for variation in each member state, there are a few key capabilities that are clearly outlined in the Directive. To ensure compliance with the NIS Directive, regardless of your vertical or application, you must:
- Secure the systems and facilities used for the provision of essential services (including ICS)
- Monitor both IT and OT networks with comprehensive threat detection systems
- Demonstrate mature incident management and remediation protocol
- Implement effective and accurate incident reporting mechanisms
Will the NIS Directive Change?
The NIS Directive was created to keep organizations responsible, accountable and educated on evolving cyber threats that can affect economies and people. Because the cyber threat landscape is always evolving, we can expect that the NIS Directive will evolve as well. To adapt to these changes, selecting and investing in the right cybersecurity tools will be an important strategic business decision. Make sure that whatever system you build and deploy can scale and evolve with changing operational needs and new cyber threats.
Below are a few capabilities that you will want to assess in any IT or OT cybersecurity solution:
- Comprehensive threat detection capability
- Support for workflow integration and real-time incident management
- Detailed asset inventory and reporting
- Ability to report and provide evidence of security policy implementation
- Ability to track and manage security audit results
Although the NIS Directive may seem demanding, the benefits of a more cyber secure economy will outweigh the compliance burden. Fortunately, there are also tools that can help streamline compliance with ever-evolving standards and regulations like the NIS Directive.
 The EU in the world - economy and finance; https://ec.europa.eu/eurostat/statistics-explained/index.php/The_EU_in_the_world_-_economy_and_finance
 New fines for essential service operators with poor cyber security; https://www.gov.uk/government/news/new-fines-for-essential-service-operators-with-poor-cyber-security